ASP.Net MVC Scribblings
XSS

XSS attack = cross-site scripting attack

A user submits script in one of the input fields of a form on your website. If your site later writes that value back into a page without encoding it, the script runs in the browser of every visitor who views the page, with that visitor's cookies and session, so it can act as them:

<script>
  // runs as the victim; "$http" assumes the page already loads AngularJS
  $http.post("/transferMoney", { amount: 1000000, toAccount: "111AttackersAccount" });
</script>

Against input like this, ASP.NET provides request validation, which is on by default for every MVC controller action: if any form field, query-string value or cookie contains something that looks like HTML markup (roughly, a "<" followed by a letter, "!", "/" or "?", or an "&#" character entity), the framework throws HttpRequestValidationException ("A potentially dangerous Request.Form value was detected from the client") before the action body runs, and the user gets an error page instead. Treat this as defence in depth, not as the XSS fix: it only inspects request input, it can be switched off per action or per field, and it catches nothing that reaches a page by another route (a database, a web service, an older record saved before validation was enabled). The real fix is output encoding. Razor encodes everything written with "@" by default; the only ways to emit unencoded markup are Html.Raw(...) and MvcHtmlString, so every use of those on untrusted data is a potential XSS hole.

If a controller action must accept HTML, opt that action out with the ValidateInput(false) attribute. This disables request validation for every field of every request to that action, so use it only when nothing narrower will do:

    using System.Web.Mvc;

    public class MoneyTransactionController : Controller
    {
        // Request validation is skipped for the whole request to this action,
        // so every field it reads may contain raw HTML; encode on output.
        [ValidateInput(false)]
        public ActionResult Transfer()
        {
            // business logic to handle the money transfer
            return View();
        }
    }

If only one field needs to carry HTML, keep validation on for the action and use the AllowHtml attribute (System.Web.Mvc.AllowHtmlAttribute; note the casing) on that one property of the model instead. It takes effect during model binding, so every other field of the request is still validated:

using System.Web.Mvc;

namespace MyMVCApplication.Models
{
    public class CodeSample
    {
        // still request-validated
        public string SubmittedBy { get; set; }

        // only this property may contain markup such as <script>
        [AllowHtml]
        public string Code { get; set; }
    }
}
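The two opt-outs above, shown together in one working example. This is added example code, not from the original page: the CodeSampleController, its actions and the static in-memory list that stands in for a database are hypothetical, and it assumes ASP.NET MVC 5 (System.Web.Mvc) with a Create.cshtml / Show.cshtml view pair. The point it makes is that [AllowHtml] lets the one field through request validation on the way in, while the stored value is still rendered encoded on the way out:

```csharp
// Added example (not from the original page). Controller, action and
// store names are hypothetical; the model matches the page's CodeSample.
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

namespace MyMVCApplication.Models
{
    public class CodeSample
    {
        public string SubmittedBy { get; set; }   // still request-validated

        [AllowHtml]                               // only this field may contain "<...>"
        public string Code { get; set; }
    }
}

namespace MyMVCApplication.Controllers
{
    using MyMVCApplication.Models;

    public class CodeSampleController : Controller
    {
        // Hypothetical in-memory store standing in for a database table.
        private static readonly List<CodeSample> Samples = new List<CodeSample>();

        [HttpGet]
        public ActionResult Create()
        {
            return View(new CodeSample());
        }

        // No [ValidateInput(false)] here: request validation still runs for
        // SubmittedBy and throws HttpRequestValidationException if it contains
        // markup; Code is exempted by [AllowHtml] during model binding.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(CodeSample sample)
        {
            if (!ModelState.IsValid)
            {
                return View(sample);
            }

            // Stored raw: encoding is an output concern, applied where the
            // value is written into HTML, not where it is received.
            Samples.Add(sample);
            return RedirectToAction("Show", new { id = Samples.Count - 1 });
        }

        [HttpGet]
        public ActionResult Show(int id)
        {
            if (id < 0 || id >= Samples.Count)
            {
                return HttpNotFound();
            }
            return View(Samples[id]);
        }

        // For code paths that build HTML outside Razor (string-built fragments,
        // e-mail bodies). Razor's @Model.Code applies the same encoding itself.
        public static string Encode(string untrusted)
        {
            // "<script>" becomes "&lt;script&gt;": the browser shows text, not markup
            return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
        }
    }
}
```

In Show.cshtml, writing the value as <pre>@Model.Code</pre> is safe because Razor encodes it; writing @Html.Raw(Model.Code) would execute a submitted <script> tag for every reader, and is only acceptable after the value has been passed through an allow-list HTML sanitizer. Two caveats on the input side: [AllowHtml] only applies to values that arrive through model binding, so an action that reads Request.Form["Code"] directly still triggers request validation (on .NET 4.5 and later, Request.Unvalidated.Form["Code"] reads it without validation), and the [ValidateAntiForgeryToken] attribute is there because the injected script on this page is exactly the kind of forged request it defends against.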
Last updated 5 years ago